---
title: The Graph of Relations
---

import Mermaid from '@theme/Mermaid'
import RelationTuplePrism from '@theme/RelationTuplePrism'
RelationTuplePrism()

The [relation tuples](./relation-tuples.mdx) of the ACL used by Ory Keto can be
represented as a graph of relations. This graph will help us to understand many
[implications on performance](../performance.mdx) and
[internal algorithms](./internal-algorithms.mdx).

## Definition

The graph consists of three types of nodes. [Object](./objects.mdx) nodes that
represent application objects, intermediary
[subject set](./subjects.mdx#subject-sets) nodes, and
[subject ID](./subjects.mdx#subject-ids) nodes representing individuals. Edges
are directed and represent the relation between an object and subject.

## Example

The following example translates a view relation tuples into the corresponding
graph of relations.

:::note

This example omits the [namespace](./namespaces.mdx) from all data to improve
readability. In practice, the namespace always has to be considered.

:::

```keto-relation-tuples
// user1 has access on dir1
dir1#access@user1
// Have a look on the subjects concept page if you don't know the empty relation.
dir1#parent@(file1#)
// Everyone with access to dir1 has access to file1. This would probably be defined
// through a subject set rewrite that defines this inherited relation globally.
// In this example, we define this tuple explicitly.
file1#access@(dir1#access)
// Direct access on file2 was granted.
file2#access@user1
// user2 is owner of file2
file2#owner@user2
// Owners of file2 have access to it; possibly defined through subject set rewrites.
file2#access@(file2#owner)
```

This is represented by the following graph:

<Mermaid
  chart={`
graph TD
    subgraph obj [Object region]
    A[file1]
    E[dir1] -->|parent| A
    G[file2]
    end
    subgraph subjID [Subject ID region]
    F([user1])
    C([user2])
    end
    A -->|access| B{{dir1#access}}
    B -. file1#access .-> F
    E -->|access| F
    G -->|access| F
    G -->|owner| C
    G -->|access| H{{file2#owner}}
    H -. file2#access .-> C
`}
/>

Solid edges represent explicitly defined relations, while dotted edges represent
relations inherited through a subject set.

## Observations about the Graph

Ory Keto utilizes the following key properties of the graph of relations:

1. **Directed edges from objects to subjects**: This implies a neat arrangement
   with objects in one region, subject IDs in another one, and subject sets in
   between. Edges will always go from the object region towards the subject
   region.
2. **Searching for a possible path is local**: Trying to find a path from an
   object to a subject will always happen locally. This means that it is only
   necessary to traverse the nodes that are successors of the object. In typical
   setups, this means that only a small fraction of the graph has to be
   searched, regardless of the outcome. The intuition here is that the relations
   of user1's files are irrelevant when checking access to user2's files.

Both of these properties are important to ensure
[high performance](../performance.mdx).
